What's the Password?

We all use login IDs and passwords and—at one time or another—we forget
them. Sometimes, we don’t know we’ve forgotten them until after we’ve
locked out our account. So what’s the process of getting passwords reset
and accounts unlocked in your organization? For the typical user, it involves
calling the help desk and making a formal request. This isn’t necessarily
a bad thing, but it hits the bottom line in two ways: productivity and
security.

First, locked-out users are unproductive until their accounts are restored. This can mean waiting on the phone for 20 minutes or longer for help. Also, a help desk that spends most of its time resetting passwords and unlocking accounts isn’t productive. By removing the responsibility for password management, most help desks can reduce their call volume.

Second, when users know that getting their passwords reset and synchronized is a hassle, they may pick simple passwords they aren’t likely to forget or pick the same password for multiple accounts. Another common problem is that users may write their passwords down on a sticky note and hide it under their keyboard or mouse pad to avoid having to call the help desk. At worst, users may log in with someone else’s ID.

Some administrators cringe at the thought of users managing their own accounts. If that’s the case with you, then read on. This article evaluates several software solutions that may make password resetting self-service more reassuring.

Most self-service password software works off the same premise. Users log onto a kiosk machine and use a Web interface to unlock their accounts. The kiosk has a user name and password that’s easy to remember, and the kiosk is locked down so only the Web application used to manage accounts can launch. From here, users can restore locked-out accounts and change their passwords for any assigned accounts. Afterward, the Web page displays a report letting them know the status of their requests.

When accessing the Web page, users enter their account name and domain name (or other requested identification). Users must be authenticated to prove it’s their account they’re trying to manage. There are typically three authentication methods used:

Password authentication

Third-party authentication

Challenge/response authentication

Password authentication uses a separate password for logging into the self-service software. This password can be the same as the user’s other passwords. The problem with this is that it still leaves the possibility of the user forgetting his or her password.

Third-party authentication means a product other than the password software intercepts users’ requests and then authenticates them. It then passes this authentication information to the software, which doesn’t authenticate the user again.

I recommend challenge/response authentication. This provides better security and keeps users from calling the help desk because they forgot their self-service password. Challenge/response works by asking the user a series of random, preconfigured questions. Not all of the questions are used every time. Answering these questions correctly logs them in.

Before users can begin using self-service password software, they must be enrolled. Enrollment is the process of configuring users to verify their identity so they can manage their passwords. You can enroll users manually or users can enroll themselves. Manual enrollment requires an administrator to answer questions for each user. With self-enrollment, users register themselves by answering a series of questions. Products in this review support both manual and self-enrollment.

There are several things to consider when evaluating self-service password software. You must look at ease of use. If users can’t understand a product, they won’t use it. The platforms supported by the product are also important. If you only need to support Windows accounts, you have many options. If you need to support PeopleSoft and Oracle as well, that narrows down the list. The solution you purchase must work with all of the required platforms, or you defeat the purpose of the software.

In addition, of course, you have to consider cost. If the product you’re
looking at doesn’t fit into your budget, there’s no use considering it.
You must also look at the installation process. If the product takes three
people months to get it installed and working in your environment, you
must figure that into your cost. Also, you have to consider if it’s difficult
to install, it’ll probably be difficult to support. If you’ve decided
on using one authentication method over another, that must also be evaluated.

BMC Software’s CONTROL-SA/PassPort
PassPort runs as an extension of Enterprise SecurityStation (another BMC
product) and uses the information stored in the Enterprise SecurityStation
database. You must do a full install of Enterprise SecurityStation (ESS)
v3.1. 03 before you can install PassPort. BMC Software recommends you
review the configuration options before installation. Once installed,
many of the options are difficult to change. To access PassPort via a
Web browser, you must be running Microsoft Internet Explorer version 5.5
or 6.0 or Netscape Nav-igator version 4.7 or 6.2.

PassPort has the following hardware and software requirements:

Windows NT 4.0 Server with Service Pack 6, Windows 2000 (any version)
with SP2 or higher or Windows XP Professional. (Note that if you use Win2K
or WinXP Professional, the number of people that can connect is limited
to the number set in IIS.)

There can be user-defined questions, as well as site-defined questions. User-defined questions are unique to each user, and site-defined questions are for everyone in the company. Users can add to, delete or modify their user-defined questions but not site-defined questions.

Depending on the accounts being managed, users may have to log off and
back on again after changing their passwords to prevent being locked out.
NT users must do this because of the way Windows caches passwords. Also,
users may have a problem with multiple active sessions.

Using the basic features of PassPort was intuitive. For the advanced
features, BMC provides great documentation. Many customization parameters
listed in the manual allow the enabling or disabling of features. Because
the user interface is HTML-based, it’s easy to make modifications.

Discus Data’s ExMS Password Reset Manager
ExMS Password Reset Manager (PRM) took the longest to install. It requires
the schema to be extended for Exchange 2000 in the forest into which you’re
installing PRM. If you’re already running Exchange 2000, this isn’t a
problem. However, if you aren’t running Exchange 2000, you must extend
the schema even if you don’t plan to use Exchange 2000. This is accomplished
by running the Exchange 2000 setup with the forest prep switch (setup.exe
/forestprep). This isn’t necessarily a bad thing, but it adds hundreds
of objects—which can’t be removed—to your schema. Because the Schema Master
domain controller is the only server that can write to the schema, I recommend
running forest prep on it to cut back on network traffic. Remember: To
edit the schema, you must be logged in as a user who’s a member of the
Schema Admins group. The machine onto which you install PRM must have
the Exchange administration tools.

PRM has the following hardware and software requirements:

Win2K Server with SP1 or higher or NT 4.0 Server with SP6a

IIS 4.0 or higher

166MHz CPU

64MB RAM

80MB hard disk space

Exchange 5.5 with SP4 or Ex-change 2000 System Manager with SP1 or higher.

PRM manages NT 4.0 domains and Win2K AD, and it supports self-enrollment
and manual enrollment. To enroll, users must create a Questions and Answers
Profile. This profile contains a series of questions to be used when managing
accounts.

PRM doesn’t support as many platforms out of the box as others on the
market, which is why it costs less. However, this doesn’t mean PRM isn’t
a good product. PRM is quite good at what it does—which is manage passwords
for an NT and/or AD environment. Its interface is easy to use; and the
software performs detailed logging and e-mail notifications. According
to Discus Data tech support, PRM can be configured to work with any application
or operating system. PRM supports password authentication along with challenge/response.
Users can authenticate themselves based on their login ID, user principal
name, full name, display name, first name, last name, employee ID or e-mail
address. The administrator chooses how many fields must successfully be
answered.

Password Station.NET supports self-enrollment and manual enrollment. Password events trigger e-mails that walk the user through enrollment. Non-enrolled users must use their network credentials to enroll; they must key in their domain, username and password. Optionally, you can allow integrated authentication, which uses the credentials of the user currently logged on. You can manually enroll users by importing the answers to their security questions from another source (such as a payroll database).

Password Station. NET uses challenge/response for authentication of enrolled
users. Users are asked two questions from the pool configured during enrollment.
Password Station.NET ships with an XML file of 25 questions, and you can
easily add new ones. The answers are encrypted with an SHA1 one-way hash
and stored in the AD database or the NT 4.0 SAM.

I found myself wanting to use Password Station.NET’s Web interface rather than the other products’ because I like the way its Web page is configured.

Proginet’s SecurPass-Reset
SecurPass-Reset has two components—Web and server. The Web component services
user requests, help-desk requests and software-usage monitoring. The server
component communicates between the Web front end and SQL Server backend.
You must install SQL 6.5 or higher, and SecurPass-Reset doesn’t support
MSDE.

One complaint I have about SecurPass-Reset is the installation. I found it to be tedious, with lots of manual steps. I prefer more automated installations, as they tend to leave less room for human error and are quicker.

Installation consists of three parts: installing the server component, the Web component and SQL Server. The server component is a typical Windows installation. Installing the Web component requires manually copying files from the program directory to the scripts and wwwroot directory and configuring files with your servers’ IP addresses. Proginet provides scripts to help with the configuration of SQL. Even though the install is a bit tedious, it isn’t difficult. Proginet provides helpful documentation that walks you through each step.

SecurPass-Reset’s server component has the following hardware and software requirements:

Win2K or NT 4.0 Server

SQL Server 6.5 or newer

64MB RAM

100MB hard disk space

The Web component can be installed on Windows NT/2000, Sun Solaris, HP-UX
and IBM AIX.

SecurPass-Reset manages platforms such as Windows NT/2000, IBM OS/390 and OS/400, Unix, Sun Solaris, NetWare (NDS and Bindery) and LDAP. Users can utilize self-enrollment to set up their accounts or an administrator can do it for them manually.

Changing the questions used during challenge/response wasn’t as intuitive
as the other products. They provided a Web interface for adding questions
to the question pool. SecurPass-Reset requires editing a text file containing
the questions. This isn’t difficult, but I’d prefer to manage everything
through the same interface.

To its advantage, SecurPass-Reset supports a fair number of platforms
by default. When purchased in higher quantities, its pricing is close
to PRM, which makes it a good choice for someone concerned about price
but who needs to support more platforms than PRM. SecurPass-Reset is my
choice for small- to medium-sized companies with few platforms to support.

Final Report
All four products worked well in a Windows environment. Even though some
installations were more difficult than others, they were all straightforward
to get up and running.

But choosing which is the best of the bunch depends on what’s important to you. All vendors provided good installation documentation; however, BMC’s CONTROL-SA/PassPort was the most detailed and easy to follow. If you’re looking for a product that works across the most platforms out of the box, this is the best choice.

If you’re seeking a cost-efficient program to reduce the number of help-desk calls in your Windows environment, I’d recommend Discus Data’s ExMS Password Reset Manager or Proginet’s SecurPass-Reset. PRM’s installation is quicker and easier, but I really like the feel of SecurPass-Reset’s Web interface. However, for small Windows-based companies with fewer than 1,000 users, PRM is the most affordable solution.

Avatier’s Password Station.NET is the most complete package and gives more bang for the buck. All of the programs are intuitive, but Password Station.NET makes the most sense to me. It has a plethora of easy-to-use features.

No matter which solution you choose, your help desk will thank you, as all these products give a great return on investment.